2.1. Methodology of Web Application Vulnerability Testing


Terminology

You may have come across terms such as audit, penetration testing, bug hunting, ethical hacking, and so on. Let's break them down, as some of these terms will be used throughout the course.

Audit: An audit is a systematic review of an organization's processes and procedures to ensure they comply with established policies and standards. An audit involves reviewing documentation and interviewing employees to identify areas of non-compliance and potential risks.

Vulnerability Assessment: This is the process of identifying, quantifying, and prioritizing security vulnerabilities in a system or network. This assessment typically involves the use of automated tools and techniques to scan for known vulnerabilities, such as outdated software, weak passwords, and misconfigurations.

Penetration Testing: Penetration testing involves simulating an attack on a computer system to identify vulnerabilities and assess the effectiveness of existing security measures. Ethical hackers, who use the same tools and techniques as real attackers, typically perform this testing with the owner's permission to access the system. Vulnerability assessment and penetration testing share some similarities in their initial stages. However, the primary goal of a vulnerability assessment is to identify vulnerabilities, while penetration testing goes further by exploiting a found vulnerability to demonstrate that access to the system can actually be gained.

Ethical Hacking: Ethical hacking is the practice of using the same techniques and methods as criminal hackers to identify and exploit vulnerabilities in a system. However, ethical hackers do this with the owner's permission and the goal of improving security rather than causing harm.

Bug Hunting (Bug Bounty): Bug hunting is the process of searching for and identifying software errors (bugs) in computer systems, web applications, mobile applications, and other software products. Bug hunters look for flaws that can lead to various issues, such as security breaches, system crashes, or incorrect functionality. They employ various methods, including manual code analysis and automated scanning tools.

Some companies and organizations run bug bounty programs, where they offer rewards for discovering specific types of bugs. This allows companies to detect and fix issues in their software, enhance security, and build trust with users. For bug hunters, it's an opportunity to improve their testing skills and earn decent money in the process.


Testing Methods

When it comes to testing applications and systems, hackers typically employ one of three approaches:

  • White Box Testing: In this approach, a hacker collaborates with the owner of the website or system and receives full access to the system and other relevant data. This data can include URLs and links to hidden sections of the website, user lists, administrator passwords, access to the application's source code, and much more, depending on the testing objectives.
  • Black Box Testing: In contrast to the first approach, a hacker is provided with no information except the website's URL. Therefore, they must rely on their knowledge and expertise to gather as much information as possible about the target, which will enable them to compromise the system.
  • Grey Box Testing: Grey box testing is a combination of the two previous methods. In this approach, the hacker is given partial information by the owner. They have access to some information but not everything.

These testing methods allow hackers to assess the security of a system from different angles, depending on the level of information they have and the goals of the testing.


Testing Steps

The testing process is typically divided into several steps, as outlined below:

  • Information Gathering: In this step, information about the target application is collected. This includes its architecture, server-side technologies, databases, network configuration, and more. Various methods are employed, such as port scanning, searching for information in open sources, scanning the web application, code analysis, network traffic interception, and so on.
  • Vulnerability Analysis: During this step, the collected data is analyzed to identify vulnerabilities in the application that could be exploited. This may involve conducting penetration tests, such as buffer overflow tests, SQL injections, XSS attacks, authentication spoofing attacks, and more.
  • Exploitation of Vulnerabilities: In this step, the possibility of exploiting the vulnerabilities identified in the previous step is tested. This can include attempts to crack passwords, session hijacking, altering request parameters, and more.
  • Post-Exploitation: At this stage, the hacker already has access to the system, and they may perform various actions. This can include stealing files and confidential documents, deleting all files and causing other harm to the system, installing a backdoor program that allows them to enter the system repeatedly and discreetly, or launching further attacks on the victim's infrastructure from this computer/server.
  • Report Compilation: In this step, the results of the testing are analyzed, their significance is evaluated, and a report is prepared. The report typically includes a list of discovered vulnerabilities, descriptions of their impact on the application, and advice on how to mitigate these vulnerabilities.

Sometimes, these steps may be combined or broken down into more granular stages, depending on the specific situation and testing requirements.


OWASP - Open Web Application Security Project

I'm sure some of you might be wondering, "Is there any guide or checklist that can help beginners quickly understand and start testing in the right sequence?"

Well, there is indeed one, and it's an official guide followed by many companies and professionals in the field of IT security. This document is created by the organization OWASP.

OWASP (Open Web Application Security Project) is a non-profit international organization that focuses on enhancing the security of web applications and other technologies.

This organization creates open standards, guides, and tools to ensure the security of web applications. It also conducts research and vulnerability analysis on web applications and develops methods and tools for their prevention.

Among OWASP projects, we can highlight:

  • OWASP Top 10: This guide lists the most common vulnerabilities in web applications and provides recommendations for addressing them.
  • OWASP ZAP (Zed Attack Proxy): This tool is used for security testing of web applications. It helps detect vulnerabilities and exploit them to assess the application's security. A similar tool is Burp Suite by PortSwigger, and we will cover both tools in this course.
  • OWASP WSTG (Web Security Testing Guide): This is a comprehensive guide for web application testing. It includes descriptions of various network attacks and testing methodologies.
  • OWASP CSS (Cheat Sheet Series): This document is designed for developers and pentesters. It offers recommendations for securing web applications, writing secure code, and defending against network attacks. I believe any security professional should not only be able to test and hack websites but also know how to protect them.
  • OWASP OWTF (Offensive Web Testing Framework): This is another tool, or more accurately, a framework for web application security testing. It's used to find vulnerabilities in applications using methods employed by malicious actors. OWTF provides various tools and techniques for vulnerability discovery, penetration testing, and application security analysis.

The goal of all OWASP projects is to enhance the security of web applications and protect users from cyberattacks. Throughout the course, we will actively use OWASP tools and guides to study ethical hacking.